Is your application ready for SHA-256 by August 15?

If you operate an application connected to WAYF as an SP or an IdP, please note that from August 15 on, WAYF will validate, and itself issue, digital signatures based exclusively on the SHA-256 hashing algorithm.

This is not about HTTPS — but about the digital signatures used in the federation protocol “on top of” HTTPS, i.e. about the XML signatures in login responses, and the values of the Signature GET parameter in login requests and logout messages. Using certain browser plug-ins (Firefox, Chrome) you can see in the protocol traffic which algorithm a signature has been hashed with: in GET traffic, the value of the SigAlg parameter; in POSTed XML documents, the value of the Algorithm attribute of the SignatureMethod and DigestMethod elements. From August 15 on, only values ending in sha256 should be encountered there.
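The same check can be done offline on captured traffic. The following script is an added example, not code from WAYF: it inspects the SignatureMethod and DigestMethod algorithm URIs of a POSTed SAML document and the SigAlg parameter of a redirect-binding URL, applying the page's rule that every value must end in sha256. The sample response and the URL are constructed for illustration; the digest and signature values in them are placeholders, and the script does not verify the signatures, it only reports which hash algorithm they declare.

```python
"""Report which hash algorithms SAML signatures declare (added example, not WAYF code)."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def is_sha256(alg_uri):
    """The page's rule: an acceptable algorithm URI ends in 'sha256'."""
    return alg_uri.lower().endswith("sha256")


def check_xml_signature_algorithms(xml_text):
    """Collect every SignatureMethod/DigestMethod Algorithm in a signed XML document.

    Returns the algorithms found, the ones that are not SHA-256, and a flag that
    is True only when at least one algorithm was found and all of them are SHA-256.
    """
    root = ET.fromstring(xml_text)
    found = []
    for tag in ("SignatureMethod", "DigestMethod"):
        for element in root.iter("{%s}%s" % (DS_NS, tag)):
            found.append((tag, element.get("Algorithm", "")))
    offending = [(tag, alg) for tag, alg in found if not is_sha256(alg)]
    return {"algorithms": found, "offending": offending,
            "sha256_only": bool(found) and not offending}


def check_redirect_binding(url):
    """Inspect the SigAlg parameter of a redirect-binding (GET) login/logout message.

    An unsigned message (no Signature parameter) is reported as such; the page
    says an SP may either sign with SHA-256 or not sign requests at all.
    """
    params = parse_qs(urlsplit(url).query)  # parse_qs URL-decodes the values
    if "Signature" not in params:
        return {"signed": False, "sig_alg": None, "sha256": None}
    sig_alg = params.get("SigAlg", [""])[0]
    return {"signed": True, "sig_alg": sig_alg, "sha256": is_sha256(sig_alg)}


# Constructed sample: a SAML response signed with RSA-SHA256 and SHA-256 digests.
SHA256_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_r1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>placeholder-digest</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder-signature</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>"""

# Constructed sample: the same response but using the SHA-1 algorithm URIs.
SHA1_RESPONSE = (SHA256_RESPONSE
    .replace("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
             "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
    .replace("http://www.w3.org/2001/04/xmlenc#sha256",
             "http://www.w3.org/2000/09/xmldsig#sha1"))

# Constructed sample URLs (hypothetical host, placeholder request and signature values).
SIGNED_SHA256_URL = ("https://idp.example.org/sso?SAMLRequest=placeholder"
                     "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256"
                     "&Signature=placeholder")
SIGNED_SHA1_URL = ("https://idp.example.org/sso?SAMLRequest=placeholder"
                   "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1"
                   "&Signature=placeholder")
UNSIGNED_URL = "https://idp.example.org/sso?SAMLRequest=placeholder"

if __name__ == "__main__":
    for label, doc in (("SHA-256 response", SHA256_RESPONSE), ("SHA-1 response", SHA1_RESPONSE)):
        result = check_xml_signature_algorithms(doc)
        print(label, "OK" if result["sha256_only"] else "REJECTED", result["offending"])
    for url in (SIGNED_SHA256_URL, SIGNED_SHA1_URL, UNSIGNED_URL):
        print(check_redirect_binding(url))
```

Run it as is to see the constructed samples classified; to check your own deployment, paste a captured login response into check_xml_signature_algorithms and a captured redirect URL into check_redirect_binding. A response that signs both the Response and the Assertion yields two SignatureMethod entries, and both must be SHA-256.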

WAYF already validates signatures hashed using SHA-256. So, if you operate an app communicating with WAYF, you can already now configure it to use SHA-256 when processing digital signatures exchanged with WAYF. If you haven't done so by August 15, your application will stop working with WAYF on that day.

If your app is an SP towards WAYF, you must make sure it is able to validate SHA-256-based signatures within login responses before August 15. And if your SP signs the login requests it sends to WAYF, you will have to make sure that it uses SHA-256 in the signatures it produces, or that it doesn't sign the requests anymore, before August 15. If you neglect either, your SP will stop working with WAYF on August 15.

Read here how you can test your application's ability to validate SHA-256-based signatures in login responses.

If your app is an IdP towards WAYF, you must make sure it signs its XML login responses using SHA-256, before August 15. If you don't, your IdP will stop working with WAYF on August 15.

If your application has logOUT communication with WAYF, you must make sure it signs and validates logout messages using SHA-256, before August 15. Otherwise, WAYF logout will stop working with your application on that day.

Previously, our date for stopping support for algorithms less secure than SHA-256 was July 1. But this deadline has now been extended to August 15.

SHA-256: ACCEPTED
SHA-1: REJECTED